Bob Relyea wrote:
> This point was not lost on the builders of such tools as SSH and PGP.
> The ability to do strong authentication was built in. Both of these
> products warn when encountering a new and untrusted key. It was
> expected that you as a user would then authenticate the key. In practice
> even intelligent people did not know what that means, and now blithely
> assume that because the connection is encrypted they are significantly
> more secure (which they are not).
After almost 3 years messing around with PKI for more than just server certificates, I really don't think PKI is any better than SSH; in fact it could give you a worse sense of security. No fingerprints are ever warned against, so you wouldn't know if people have switched them; the little lock is lit up, so the person must be trustworthy to hand over my $500, $5000, $50000, whatever, to, right?

The majority of attacks for credit card numbers and other information are on servers or attacks on people, but very few if any attacks actually try intercepting traffic. After all, when was the last time you ever heard of anyone proxying SSH traffic to capture information? The reason they go after the servers/people rather than the link is because it's the easiest option and you net a bigger gain of information than you might by intercepting traffic (unless you happen to be govt sanctioned with access to packets on major switches).

I'm with Ian on the "placebo security" comment, until certificates are formally classed into categories on what the hell it actually means instead of marketing speak for "we want more money so we'll make it sound more secure than the next guy even though we're doing less than him but no one will know/care unless they read through the 500 page CPS we neatly typed up and paid a lot of money to get audited"...

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
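The thread contrasts SSH's behaviour (warn on a new key, alert loudly when a previously seen key changes) with a TLS client that silently accepts any chain the CA set signs. The following is an added example, not code from either poster, showing the trust-on-first-use check SSH performs, reduced to a minimal key-pin store that a TLS client could apply on top of (not instead of) chain validation. It is a simplified model: real OpenSSH `known_hosts` stores full public keys and can hash host names, whereas this store keeps only an OpenSSH-style `SHA256:` fingerprint per host. The host names, key bytes and store contents are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac


def fingerprint(public_key_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded key, in the 'SHA256:<base64>' form
    OpenSSH prints (padding stripped). Any canonical encoding works, as long
    as the same encoding is used every time the host is checked."""
    digest = hashlib.sha256(public_key_der).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class PinStore:
    """Trust-on-first-use store: one pinned fingerprint per host.

    check() never raises; it returns a decision the caller must act on:
      'new'     - first contact, pin recorded (the user should verify it
                  out of band, as SSH expects)
      'match'   - presented key equals the pin
      'changed' - presented key differs from the pin: do NOT connect
                  until the change is explained (possible interception
                  or an unannounced key rollover)
    """

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, host: str, public_key_der: bytes) -> str:
        presented = fingerprint(public_key_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = presented
            return "new"
        # constant-time compare; fingerprints are not secret, but it costs nothing
        if hmac.compare_digest(known, presented):
            return "match"
        return "changed"

    def dump(self) -> str:
        """Serialise as 'host fingerprint' lines (known_hosts-like, simplified)."""
        return "\n".join(f"{h} {fp}" for h, fp in sorted(self.pins.items()))

    @classmethod
    def load(cls, text: str) -> "PinStore":
        store = cls()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp = line.split(None, 1)
            store.pins[host] = fp
        return store


# Constructed stand-ins for DER public keys; in practice these come from the
# peer's certificate (TLS) or host key (SSH).
KEY_A = b"constructed-public-key-A"
KEY_B = b"constructed-public-key-B"


def simulate_sessions() -> list[str]:
    """Three connections to the same (hypothetical) host: first contact,
    a normal repeat, then a session presenting a different key."""
    store = PinStore()
    host = "bank.example.test"
    decisions = [store.check(host, KEY_A), store.check(host, KEY_A)]
    # Round-trip the store through its text form, as a client would between runs.
    store = PinStore.load(store.dump())
    decisions.append(store.check(host, KEY_B))
    return decisions


if __name__ == "__main__":
    for i, decision in enumerate(simulate_sessions(), 1):
        print(f"session {i}: {decision}")
```

The point of the `changed` outcome is that it is visible: a client that pins keys makes a swapped key a loud event, which is exactly what the poster notes a padlock icon alone never does. Pinning does not replace chain validation; it adds a second, independent signal, and legitimate key rollovers must be handled by updating the pin deliberately rather than by clicking through.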
